  • minidlna policy

    仿写的一个策略:

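    policy_module(minidlna, 0.1)

    #############################################
    #
    # Declarations
    #
    # Types, attributes and classes used here but defined by the base policy.
    # Linking the module fails if the loaded base policy lacks any of them.
    require {
    attribute reserved_port_type;
    attribute port_type;
    class process { signull };
    type proc_net_t;
    type inotifyfs_t;
    };

    ## <desc>
    ## <p>
    ## Determine whether minidlna can read generic user content.
    ## </p>
    ## </desc>
    # NOTE(review): the tunable_policy() block that would consume this boolean
    # is commented out at the end of the module, so toggling it currently has
    # no effect.
    gen_tunable(minidlna_read_generic_user_content, false)

    # The daemon's domain and the label of its executable.
    type minidlna_t;
    type minidlna_exec_t;

    # initrc_t ----minidlna_exec_t---->minidlna_t
    # Declares minidlna_t as a daemon domain entered when init executes a file
    # labelled minidlna_exec_t.
    init_daemon_domain(minidlna_t, minidlna_exec_t)

    # Configuration file; the daemon only gets read access to it (see below).
    type minidlna_conf_t;
    files_config_file(minidlna_conf_t)

    # Media database written by the daemon.
    type minidlna_db_t;
    files_type(minidlna_db_t)

    # Media content that is served; the daemon only gets read access to it.
    type minidlna_content_t;
    files_type(minidlna_content_t)

    type minidlna_initrc_exec_t;
    init_script_file(minidlna_initrc_exec_t)

    # NOTE(review): declared, but every rule granting minidlna_t access to this
    # type is commented out in the local policy section, so files carrying
    # this label are not writable by the daemon until those rules are restored.
    type minidlna_log_t;
    logging_log_file(minidlna_log_t)

    # PID file under the run directory.
    type minidlna_var_run_t;
    files_pid_file(minidlna_var_run_t)

    # Local port types standing in for the ssdp/trivnet1 port types whose
    # corenet_* interfaces are commented out in the local policy section.
    # NOTE(review): declaring a port type does not label any port, and no port
    # context is declared in this module. The name_bind rules below therefore
    # only match once the administrator labels UDP 1900 / TCP 8200 with these
    # types (e.g. via `semanage port`); until then binding is still checked
    # against whatever type the base policy assigns to those ports.
    # NOTE(review): 1900 is above 1024, so putting my_ssdp_port_t in
    # reserved_port_type presumably differs from how the base policy classifies
    # that port -- confirm this is intended.
    type my_ssdp_port_t;
    # The explicit typeattribute lines are presumably redundant with
    # corenet_reserved_port(); they are harmless and kept so the module does
    # not depend on that interface's exact definition.
    typeattribute my_ssdp_port_t reserved_port_type;
    typeattribute my_ssdp_port_t port_type;
    corenet_reserved_port(my_ssdp_port_t)

    type my_trivnet1_port_t;
    typeattribute my_trivnet1_port_t port_type;
    ################################################
    ##
    ## Local policy
    ##
    #
    # Directory watches (inotify) on the media tree.
    allow minidlna_t inotifyfs_t:dir { getattr read };

    # Process-level permissions on itself. `self` resolves to the source type,
    # so this is the same rule as `minidlna_t minidlna_t:process signull`,
    # written in the same form as the neighbouring self rules.
    allow minidlna_t self:process { setsched signull };
    allow minidlna_t self:tcp_socket create_stream_socket_perms;
    allow minidlna_t self:udp_socket create_socket_perms;
    # Read-only netlink route socket (interface/route enumeration).
    allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;

    # Configuration is read-only from the daemon's side.
    allow minidlna_t minidlna_conf_t:file read_file_perms;

    # Media database: create and read/write the directory, fully manage files.
    # The directory set is presumably narrower than manage_dir_perms (no rmdir,
    # rename or setattr on the directory itself).
    allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
    allow minidlna_t minidlna_db_t:file manage_file_perms;

    # Served content is read-only: no write or create on dirs or files.
    allow minidlna_t minidlna_content_t:dir { open read getattr search };
    allow minidlna_t minidlna_content_t:file { getattr open read };

    # /proc/net entries.
    allow minidlna_t proc_net_t:file { read getattr open };

    # Log file access, currently disabled (see the note on minidlna_log_t).
    #allow minidlna_t minidlna_log_t:file append_file_perms;
    #create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)

    # PID file: manage it, and label files the daemon creates in the pid
    # directory as minidlna_var_run_t.
    allow minidlna_t minidlna_var_run_t:file manage_file_perms;
    allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
    files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)

    kernel_read_fs_sysctls(minidlna_t)
    kernel_read_system_state(minidlna_t)

    # NOTE(review): these let the domain execute generic binaries and shells in
    # its own domain. A media server does not obviously need either; if they
    # were added only to silence a denial, narrow them to the specific helper
    # or drop them, since they widen what a compromised minidlna_t process can
    # run.
    corecmd_exec_bin(minidlna_t)
    corecmd_exec_shell(minidlna_t)

    #corenet_all_recvfrom_netlabel(minidlna_t)
    #corenet_all_recvfrom_unlabeled(minidlna_t)
    #
    #corenet_sendrecv_ssdp_server_packets(minidlna_t)
    #corenet_sendrecv_trivnet1_server_packets(minidlna_t)
    #

    # TCP listener: bind on any node, to the local trivnet1 port type.
    corenet_tcp_bind_generic_node(minidlna_t)
    # port 8200
    #corenet_tcp_bind_trivnet1_port(minidlna_t)
    allow minidlna_t my_trivnet1_port_t:tcp_socket { name_bind read write };
    #corenet_tcp_sendrecv_generic_if(minidlna_t)
    #corenet_tcp_sendrecv_generic_node(minidlna_t)
    #corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
    #
    # UDP (SSDP discovery): bind on any node, to the local ssdp port type.
    corenet_udp_bind_generic_node(minidlna_t)

    #corenet_udp_bind_ssdp_port(minidlna_t)
    allow minidlna_t my_ssdp_port_t:udp_socket { name_bind recv_msg send_msg };

    #corenet_udp_sendrecv_generic_if(minidlna_t)
    #corenet_udp_sendrecv_generic_node(minidlna_t)
    #corenet_udp_sendrecv_ssdp_port(minidlna_t)
    #
    #files_search_var_lib(minidlna_t)
    #

    # Name resolution / user lookups through nsswitch.
    auth_use_nsswitch(minidlna_t)
    #
    #logging_search_logs(minidlna_t)
    #
    miscfiles_read_localization(minidlna_t)
    miscfiles_read_public_files(minidlna_t)
    #
    # Disabled: would make access to user home/tmp content conditional on the
    # minidlna_read_generic_user_content boolean declared above.
    #tunable_policy(`minidlna_read_generic_user_content',`
    # userdom_list_user_tmp(minidlna_t)
    # userdom_read_user_home_content_files(minidlna_t)
    # userdom_read_user_home_content_symlinks(minidlna_t)
    # userdom_read_user_tmp_files(minidlna_t)
    # userdom_read_user_tmp_symlinks(minidlna_t)
    #',`
    # files_dontaudit_list_home(minidlna_t)
    # files_dontaudit_list_tmp(minidlna_t)
    #
    # userdom_dontaudit_list_user_home_dirs(minidlna_t)
    # userdom_dontaudit_list_user_tmp(minidlna_t)
    # userdom_dontaudit_read_user_home_content_files(minidlna_t)
    # userdom_dontaudit_read_user_tmp_files(minidlna_t)
    #')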
